A clean room reverse engineering project of the official Xbox MN-740 Wireless Bridge, specifically how it interacts with the Xbox's dashboard. The original goal was to look for a juicy buffer overflow on the Xbox side, but since there weren't any, those results can still be used for educational purposes.
This repo currently contains the following bits:
- A more-or-less working emulator of the wireless adapter, works both with a real Xbox and Xemu;
- An more or less complete description of the communication protocol between the console, wireless adapter and the firmware update tool.
- Debug symbols for the
xonlinedash.xbeversion185ead00 (MD5: 8149654a030d813bcc02a24f39fd3ce9)in a form of Ghidra XML. - Debug symbols for the
NML.MEMversion1.0.2.26(extracted from the mn740Update.exe) in a form of Ghidra XML. - A description of the serial command line interface.
- A series of debug captures setting up and connecting to various networks and altering various settings for verification and examples of the XPP_protocol
- A Linux system. The emulator need to be able to open a raw ethernet socket which is possible out of the box in Linux. Windows will require additional changes to the emulator to use Npcap with a compatible Python packet manipulation library such as Scapy or pcap-ct, macOS may probably require some additional changes;
- A copy of one of the following files:
- The
xonlinedash.xbeversion185ead00 (MD5: 8149654a030d813bcc02a24f39fd3ce9), or; - The MN-740 firmware
NLM.MEMversion01.00.02.0021 (MD5: A9A58ADC4CEAEC337BAAB64F018FBA7F). You can obtain this file by:- Downloading the
mn740Update.exetool (MD5: c0ebb3f7fb5794f0952692a0b4922abd, can be obtained here); - Running the executable, it will place the file
MN740_01.00.02.0021_RUNTIME.binfile into the temp directory; - Extracting the file with the WinArj or a similar extraction tool, it will extract the
NLM.MEMfile.
- Downloading the
- The
Note: these files are copyrighted material by Microsoft and are needed for the emulator to work. Needless to say they can't be distributed, so it will be extracted from the binary provided by the user.
-
First of all, you need to extract some secrets from either the console or the mn-740 firmware update. You can do this by running
$ python3 extract_secrets.py <path_to_file> -
Now you can run the emulator itself:
$ sudo python3 emulator.py <network_interface>
Superuser privileges are required for opening a raw ethernet socket.
As for the network interface - for a real Xbox, provide the name of the network adapter connected to same network as the Xbox; for Xemu, bind both Xemu and emulator to the same network interface,loworks just fine for this purpose.